Malware Analysis Report

2024-09-09 16:08

Sample ID: 240616-cq6drsvhnh
Target: b96ae1bc59107140e911d3fb3561f9ab.bin
SHA256: 67f91c80a902ffd78c3a4224372cd71cb37a2a0e2a48773f8e214d65a95df3f0
Tags: irata, discovery, impact
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 67f91c80a902ffd78c3a4224372cd71cb37a2a0e2a48773f8e214d65a95df3f0
Threat Level: Known bad

The file b96ae1bc59107140e911d3fb3561f9ab.bin was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery, impact

Irata family
Irata payload
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-16 02:17

Signatures

Irata family
Tag: irata

Irata payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 02:17
Reported: 2024-06-16 02:21
Platform: android-x86-arm-20240611.1-en
Max time kernel: 12s
Max time network: 137s

Command Line

org.bax.project

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network
Tag: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

org.bax.project

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |

Files

/data/data/org.bax.project/files/PersistedInstallation8665662193411072270tmp

MD5: 27dd75039039b7e1f7ea6194924bd4ee
SHA1: 106ff85650ff9b7028b2964c84e1847f4bdfffd6
SHA256: 4ed21927527963dac32199051a627a3c1690a2a148a58de0c829b791572df70c
SHA512: 88ab8176362ea002aa6a3f3ec5dca3101d0195274edf54f231722d4c3114f1a461a838d92febffe0ac4207347e9f2738818604866362137e5d429754c3a1fab6

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 02:17
Reported: 2024-06-16 02:21
Platform: android-x64-20240611.1-en
Max time kernel: 13s
Max time network: 151s

Command Line

org.bax.project

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network
Tag: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

org.bax.project

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 216.58.204.78:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.187.226:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |

Files

/data/data/org.bax.project/files/PersistedInstallation799838620250982220tmp

MD5: 310c07b037787ca7f5ee3e29c73b67b4
SHA1: b858f2670e90e01bb54e3f736f6f34293682b571
SHA256: 7d696537988d279dba280f48e46e41f59271a4fd3d10c5575caa8eb7d66cf2e7
SHA512: 90f71d61770c4ff98429a7c0f56d5bda34dbd797abdf141a7f9c630483f1d9cd7523ed054802dac883443e4895e890f8dd6ddd5567faabe8853837a41dc2fbe9

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-16 02:17
Reported: 2024-06-16 02:21
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 14s
Max time network: 132s

Command Line

org.bax.project

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network
Tag: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

org.bax.project

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.10:443 | | tcp |
| GB | 142.250.178.10:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |

Files

/data/data/org.bax.project/files/PersistedInstallation249561472871966303tmp

MD5: 6735de26f4121753996ff237cca8059d
SHA1: d216330b36958a86b18e8be9a5b7a6e846d0c09a
SHA256: 46685bb885c0c97908f0d398a3949e7907b32bf0f064f35bb5d858f6499c82b5
SHA512: 9e137cc6e188ba8e137cf21c6e0947a239056827ce2bb399b61078e0abd3793a9dea80f56528890fec31c52f69fcdcf9016c04644df11ea16e6a2367de0ee726

/data/data/org.bax.project/files/PersistedInstallation8398196258379983893tmp

MD5: a588ad66ae946cfe2c74cd9c21650bb2
SHA1: 20bc7e3d850cbe5e0142c1b648713484cecd81ea
SHA256: 9002a2963e046c696901424065cfba5af5b69abeefa7cd78e94ed3e5ebb15f0c
SHA512: 2081f1bc1c1f5451259e5f5d0b1dfb8d0b6cde6f2913b57d7ef40494d3786a7497a0fed7c9171c18bc6eba8053d45e2c06b8af639c09a0c4b0b7542b59b882df